I'm a technology, privacy, and information security reporter and most recently the author of the book This Machine Kills Secrets, a chronicle of the history and future of information leaks, from the Pentagon Papers to WikiLeaks and beyond.
I've covered the hacker beat for Forbes since 2007, with frequent detours into digital miscellanea like switches, servers, supercomputers, search, e-books, online censorship, robots, and China. My favorite stories are the ones where non-fiction resembles science fiction. My favorite sources usually have the word "research" in their titles.
Since I joined Forbes, this job has taken me from an autonomous car race in the California desert all the way to Beijing, where I wrote the first English-language cover story on the Chinese search billionaire Robin Li for Forbes Asia. Black hats, white hats, cyborgs, cyberspies, idiot savants and even CEOs are welcome to email me at agreenberg (at) forbes.com. My PGP public key can be found here.

For a few German hackers, breaking Apple’s much-hyped fingerprint reader seems to have been little more than a one-weekend project.

On Sunday, the Berlin-based hacker group known as the Chaos Computer Club–and more specifically a member of the group who goes by the name Starbug–announced that they’ve managed to crack the iPhone 5s’s fingerprint reader just two days after it was released.

“A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID,” reads the announcement on the CCC’s website. “This demonstrates – again – that fingerprint biometrics is unsuitable as [an] access control method and should be avoided.”

In the YouTube video posted along with their announcement, a CCC hacker demonstrates that he or she can register an index finger on the phone and then, by covering the same hand’s middle finger with a piece of latex bearing the spoofed index fingerprint, access the phone in seconds.

Here’s the group’s step-by-step description of how their spoofed fingerprint trick works:

First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone.

The CCC takes the opportunity to puncture the “bogus speculation about the marvels of the new technology and how hard to defeat it is,” and writes that this process differs only slightly from a method Starbug posted nearly ten years ago. The only difference, according to Starbug, is the relatively high resolution image that Apple’s reader requires.

I’ve contacted Apple for their thoughts on the CCC TouchID hack, and I’ll update this post if I hear from the company. I’ve also reached out to the CCC for more information about how their hack works.

Since Wednesday night, hackers have been pooling together nearly $20,000 in cash pledges and donations in the cryptocurrency Bitcoin, along with other items like bottles of whiskey and wine, as a reward for the first individual to successfully hack TouchID and prove it in a video. On the website IsTouchIDHackedYet.com, the status shifted Sunday from “No!,” to “Maybe!” Security researcher Robert David Graham, one of the creators of that bounty project, says he’s currently communicating with CCC hackers to confirm that their trick works and falls within the bounty’s rules–specifically that a finger from a person other than the phone’s owner rather than just a different finger from the same person can be used to break TouchID.

Update: Starbug has uploaded another video showing that the trick also works with another person’s finger wearing the latex spoofed fingerprint.

Update 2: And now IsTouchIDHackedYet.com has declared the hack official. Although one major bounty donor seems to have reneged, the reward for hacking TouchID stands at close to $10,000, which will go to Starbug.

“We hope that this finally puts to rest the illusions people have about fingerprint biometrics,” writes CCC spokesperson Frank Rieger. “It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token.”

Comments

Unless you are a double agent, with international spies after you, or people in law enforcement chasing you, this hack means nothing. I just don’t need Joe douche bag in the back seat of the taxi after I get out accessing my phone. I can leave fingerprints all over that taxi and it won’t make a bit of difference. The phone is still secure. Under normal circumstances.

I partially agree… What if a doctor was using the phone to access your medical information or a police officer to access your criminal records or your accountant to access your financial data? This is where this type of technology is commonly used today and in the majority of cases government entities prohibited access from iOS due to the lack of security. Apple purchased Authentec last year for $350M+ then sold the embedded reader division to Digital Persona. Digital Persona’s readers are used throughout healthcare, law enforcement, and enterprises to authenticate access to critical data. I work at a company that develops authentication technology and I was delighted to hear that Apple was finally doing something about the lack of strong authentication to their devices. We also sell fingerprint biometric solutions as “good enough” security as you state above. The big question is where the technology should and should not be used. Unfortunately this is a major step back for biometrics. I will say there are better readers that are sold by Digital Persona and other companies that this exploit would fail on. The trick for Apple was to fit it into a tiny button on a phone.

Well it looks like the iPhone will still have to be banned for this type of serious usage. For now at least, until Apple fix it or come up with something better. Anyway, it will take some time until they know that it’s safe enough. I wouldn’t agree it’s a major step back for biometrics. It’s basically same old, or better said a step forward that isn’t yet as big as we thought. And we should wait for Apple’s response before we reach an opinion. It could be just the beginning of a normal maturing process IMO.

Since you say you work in authentication, I’ll ask again: why don’t they just make a strong authentication (like RSA) ring ? Out of fear that it can be lost or stolen ? It’s pretty difficult to steal a ring though. Unless they break into your home at night and you happen to have taken it off for the night (which you shouldn’t normally). As for losing it, you should take care you don’t. And anyway it’s harder to lose than a credit card. Additional safety mechanisms could also be employed I guess.

Simpler question: why don’t they use cryptography with credit cards ? I hear there are some that are called chip and PIN. While they look to be an improvement over the plain ones, as far as I can say they’re not truly cryptographic.

Sorry if it seems off-topic, but it’s related to the iPhone and its fingerprint scanner in that at some point current credit card technology will have to be changed, and the question is what will replace it.

Lol, another typical anti-Apple article published on Forbes. Of course fingerprint isn’t 100% hacker-proof, but do you think a 4-digit password is better? Simple math tells you there are only 1000 combinations to guess if you really want to unlock someone’s password protected iPhone.

Look how much trouble those hackers went through to break the fingerprint security mechanism – ” First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution … breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone.”

Does the author think this would happen in a typical user scenario? If you have some extremely sensitive, national-security-like information, you really shouldn’t put it on your phone anyways. Otherwise, if you only store some contacts, emails, and photos on your phone, the Touch-ID is more than sufficient to protect your information. If there’s a hacker going to steal it, he’s going to steal it anyways, be it fingerprint or password protecting it. Any person with a normal IQ knows fingerprint makes the stealing much more difficult.

This article is sensational journalism at its worst. The author even quoted, “ This demonstrates – again – that fingerprint biometrics is unsuitable as [an] access control method and should be avoided.” So freaking laughable! Well, you use whatever security method to protect your privacy. I’ll enjoy the convenience of the Touch-ID.

Eric, it’s far harder to bruteforce an iPhone’s passcode than you’re imagining. After a few tries, the phone is disabled for one minute, then after a few more tries, five minutes, and so on. The latex attack is likely more practical. Of course, the fingerprint reader is more convenient. The decision between security and convenience is up to you.

Did you hear/read something about this attack that I missed? How is this attack *practical* if it requires a high-resolution, non-smudged fingerprint of the registered user? As far as I know, you can’t get such high quality photos from fingerprints lifted off a glass, CSI style.

The CCC writes only that “a fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID.” What makes you think an accurate fingerprint like this can’t be lifted from a glass? I just tried holding a pint glass, for instance, and it left behind a pretty good thumb print.

“it left behind a pretty good thumb print”. “pretty good” may not be sufficient: you have to get it off your (presumably) rounded glass and lay it flat so a photo/scan can be taken. The act of getting it off the glass will lose some precision as will the act of laying it flat & scanning. I strongly suspect, CCC had someone transfer put their print directly onto a flat piece of clear glass – and photographed/scanned that.

Perhaps, twolf. We’ll see as more information comes out of the CCC and more people experiment with and improve this technique. I have a feeling that we’ll discover over time that it’s easier to perform, not harder. That’s usually how such exploits go.

If someone is really paranoid about their data, they should not be using their thumbs or index fingers to begin with. The ring finger and the pinky are a much better choice because those fingers will rarely leave a clear print anywhere. Many people won’t even touch the glass with their pinky when they pick one up.

Except the same fingerprints that they supposedly lifted from your phone to fool Touch ID also would give away what four buttons you press the most often when using the password. That turns a 1-in-10,000 chance into 1-in-24. That said, the fact that it was hacked this quickly likely means some companies will be reluctant to change their enterprise profiles to allow Touch ID instead of a passcode. It also will likely limit Touch ID to unlocking the phone and Apple purchases for now. Maybe the hacking risk is why Apple didn’t release the APIs for third party use right away.

On another note, doesn’t DHS use fingerprint scanning at the border for foreign visitors?